Juniper SRX IPSec Quick Commands

Over the last couple of years, the company I work for has become more and more involved in looking after customer SRX firewalls, either as a managed service or simply on a remote technical support basis. Quite a lot of those customers have IPSec tunnels numbering in the hundreds (the biggest has 850+ on an SRX240 cluster, which is approaching the 1000 tunnel limit supported by the SRX240 platform), and whilst that isn’t a huge number where models like the SRX3xxx or SRX54xxx line are concerned, it’s still a huge number to have to parse through when diagnosing issues. As a consequence, I started saving simple Linux command combinations for parsing the SRX output, so what follows are Juniper SRX IPSec quick commands, which I’ll add to as time goes on.

Show IPsec Tunnels Based on Index Value

OK, so you’ve got 850 tunnels, of which 250 are related to one customer. You need to show detailed information for a report, or for log purposes. First, run ‘show security ipsec security-associations | match <remote_peer_ip>’ (1.2.3.4 in my example) –

 <955 ESP:aes-cbc-256/sha1 7adbd7ba 1723/ unlim - root 500 1.2.3.4 
 >955 ESP:aes-cbc-256/sha1 c1a8e6d0 1723/ unlim - root 500 1.2.3.4 
 <963 ESP:aes-cbc-256/sha1 c261b766 6461/ unlim - root 500 1.2.3.4 
 >963 ESP:aes-cbc-256/sha1 9808343e 6461/ unlim - root 500 1.2.3.4 
 <969 ESP:aes-cbc-256/sha1 b61ef91a 7901/ unlim - root 500 1.2.3.4 
 >969 ESP:aes-cbc-256/sha1 d459398f 7901/ unlim - root 500 1.2.3.4 
 <472 ESP:aes-cbc-256/sha1 1ee64eea 7696/ unlim - root 500 1.2.3.4 
 >472 ESP:aes-cbc-256/sha1 116bae2f 7696/ unlim - root 500 1.2.3.4 
 <961 ESP:aes-cbc-256/sha1 b95d7d52 3967/ unlim - root 500 1.2.3.4 
 >961 ESP:aes-cbc-256/sha1 2181b470 3967/ unlim - root 500 1.2.3.4 
 <927 ESP:aes-cbc-256/sha1 5b329b28 8232/ unlim - root 500 1.2.3.4 
 >927 ESP:aes-cbc-256/sha1 818e8e95 8232/ unlim - root 500 1.2.3.4 
 <913 ESP:aes-cbc-256/sha1 f0c86d2b 6481/ unlim - root 500 1.2.3.4 
 >913 ESP:aes-cbc-256/sha1 86e6ac9d 6481/ unlim - root 500 1.2.3.4 
 <849 ESP:aes-cbc-256/sha1 44636b47 3327/ unlim - root 500 1.2.3.4 
 >849 ESP:aes-cbc-256/sha1 f0bb1e56 3327/ unlim - root 500 1.2.3.4 
 <959 ESP:aes-cbc-256/sha1 f7134e72 5356/ unlim - root 500 1.2.3.4 
 >959 ESP:aes-cbc-256/sha1 ca7c6ca4 5356/ unlim - root 500 1.2.3.4 
 <919 ESP:aes-cbc-256/sha1 a8d17b61 2110/ unlim - root 500 1.2.3.4 
 >919 ESP:aes-cbc-256/sha1 f1dba7f2 2110/ unlim - root 500 1.2.3.4 
 <925 ESP:aes-cbc-256/sha1 a8656ce1 7193/ unlim - root 500 1.2.3.4 
 >925 ESP:aes-cbc-256/sha1 7fac5d04 7193/ unlim - root 500 1.2.3.4 
 <479 ESP:aes-cbc-256/sha1 c1e43feb 7300/ unlim - root 500 1.2.3.4 
 >479 ESP:aes-cbc-256/sha1 f40830b5 7300/ unlim - root 500 1.2.3.4 
 <847 ESP:aes-cbc-256/sha1 9981358f 27442/unlim - root 500 1.2.3.4 
 >847 ESP:aes-cbc-256/sha1 ee0041be 27442/unlim - root 500 1.2.3.4 
 <967 ESP:aes-cbc-256/sha1 176837ff 8747/ unlim - root 500 1.2.3.4 
 >967 ESP:aes-cbc-256/sha1 1ebfca2 8747/ unlim - root 500 1.2.3.4 
 <981 ESP:aes-cbc-256/sha1 bc8158c1 6710/ unlim - root 500 1.2.3.4 
 >981 ESP:aes-cbc-256/sha1 d47ddf1e 6710/ unlim - root 500 1.2.3.4 
 <915 ESP:aes-cbc-256/sha1 deb2e014 8053/ unlim - root 500 1.2.3.4 
 >915 ESP:aes-cbc-256/sha1 1552f027 8053/ unlim - root 500 1.2.3.4 
 <857 ESP:aes-cbc-256/sha1 1f77087b 7264/ unlim - root 500 1.2.3.4 
 >857 ESP:aes-cbc-256/sha1 bdcc90f 7264/ unlim - root 500 1.2.3.4 
 <923 ESP:aes-cbc-256/sha1 2761d752 6389/ unlim - root 500 1.2.3.4 
 >923 ESP:aes-cbc-256/sha1 59bcc562 6389/ unlim - root 500 1.2.3.4 
 <965 ESP:aes-cbc-256/sha1 289fc4a1 8045/ unlim - root 500 1.2.3.4 
 >965 ESP:aes-cbc-256/sha1 4ad83567 8045/ unlim - root 500 1.2.3.4 
 <853 ESP:aes-cbc-256/sha1 b9dfde99 5515/ unlim - root 500 1.2.3.4 
 >853 ESP:aes-cbc-256/sha1 63fe23a2 5515/ unlim - root 500 1.2.3.4 
 <973 ESP:aes-cbc-256/sha1 ec3def97 5246/ unlim - root 500 1.2.3.4 
 >973 ESP:aes-cbc-256/sha1 e7b6fd05 5246/ unlim - root 500 1.2.3.4 
 <917 ESP:aes-cbc-256/sha1 30d89c7c 6650/ unlim - root 500 1.2.3.4 
 >917 ESP:aes-cbc-256/sha1 6918cd5a 6650/ unlim - root 500 1.2.3.4 
 <987 ESP:aes-cbc-256/sha1 16f1dd88 5762/ unlim - root 500 1.2.3.4 
 >987 ESP:aes-cbc-256/sha1 8b0b08cc 5762/ unlim - root 500 1.2.3.4 
 <941 ESP:aes-cbc-256/sha1 3875c290 9003/ unlim - root 500 1.2.3.4 
 >941 ESP:aes-cbc-256/sha1 827e5a3 9003/ unlim - root 500 1.2.3.4 
 <1011 ESP:aes-cbc-256/sha1 8cd1107d 8409/ unlim - root 500 1.2.3.4 
 >1011 ESP:aes-cbc-256/sha1 d8d41c4a 8409/ unlim - root 500 1.2.3.4 
 <1009 ESP:aes-cbc-256/sha1 378df4a 8684/ unlim - root 500 1.2.3.4 
 >1009 ESP:aes-cbc-256/sha1 111a9b87 8684/ unlim - root 500 1.2.3.4 
 <991 ESP:aes-cbc-256/sha1 a1b94904 6334/ unlim - root 500 1.2.3.4 
 >991 ESP:aes-cbc-256/sha1 be9b3b07 6334/ unlim - root 500 1.2.3.4 
 <975 ESP:aes-cbc-256/sha1 d9bdff5d 5147/ unlim - root 500 1.2.3.4 
 >975 ESP:aes-cbc-256/sha1 d2b9a1c0 5147/ unlim - root 500 1.2.3.4 
 <855 ESP:aes-cbc-256/sha1 f0cc56e0 8902/ unlim - root 500 1.2.3.4 
 >855 ESP:aes-cbc-256/sha1 c8671fe 8902/ unlim - root 500 1.2.3.4 
 <1005 ESP:aes-cbc-256/sha1 33f7c862 4234/ unlim - root 500 1.2.3.4 
 >1005 ESP:aes-cbc-256/sha1 1ae9d135 4234/ unlim - root 500 1.2.3.4

Running ‘show security ipsec security-associations index <index value> detail’ against each of those will take AGES!! Try this instead –

cat << EOF | sed '/>/d' | awk '{print $1}' | sed 's/</show security ipsec security-associations index /' | sed 's/$/ detail/'

Once you hit enter, paste in the output from the SRX ‘show’ command, and type ‘EOF’ at the end. What you’ll get is –

show security ipsec security-associations index 955 detail
show security ipsec security-associations index 963 detail
show security ipsec security-associations index 969 detail
show security ipsec security-associations index 472 detail
show security ipsec security-associations index 961 detail
show security ipsec security-associations index 927 detail
show security ipsec security-associations index 913 detail
show security ipsec security-associations index 849 detail
show security ipsec security-associations index 959 detail
show security ipsec security-associations index 919 detail
show security ipsec security-associations index 925 detail
show security ipsec security-associations index 479 detail
show security ipsec security-associations index 847 detail
show security ipsec security-associations index 967 detail
show security ipsec security-associations index 981 detail
show security ipsec security-associations index 915 detail
show security ipsec security-associations index 857 detail
show security ipsec security-associations index 923 detail
show security ipsec security-associations index 965 detail
show security ipsec security-associations index 853 detail
show security ipsec security-associations index 973 detail
show security ipsec security-associations index 917 detail
show security ipsec security-associations index 987 detail
show security ipsec security-associations index 941 detail
show security ipsec security-associations index 1011 detail
show security ipsec security-associations index 1009 detail
show security ipsec security-associations index 991 detail
show security ipsec security-associations index 975 detail
show security ipsec security-associations index 855 detail
show security ipsec security-associations index 1005 detail

Awesome!

Basically, the command process is –

  • cat << EOF – Read lines from the terminal into cat until a line containing just ‘EOF’ is seen
  • sed '/>/d' – Use sed to delete any line containing a > character (the outbound SA of each pair), leaving only the < lines
  • awk '{print $1}' – Use awk to print the first column of what’s left (our IPSec SA index, still prefixed with <)
  • sed 's/</show security ipsec security-associations index /' – Use sed to replace the < character with ‘show security ipsec security-associations index ’
  • sed 's/$/ detail/' – Use sed to add ‘ detail’ onto the end of each line.

Show IPsec Phase 2 Tunnels Based on VPN Name

Using the example above, here’s a similar process for getting the same output, but based on IPSec VPN name. Run ‘show configuration security ipsec | display set | match <value>’ to get the IPSec Phase 2 tunnel information. For example –

set security ipsec vpn SB-MG-ANTIVIR-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-ANTIVIR-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-ANTIVIR-234 establish-tunnels immediately
set security ipsec vpn SB-MG-ANTIVIR-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-ANTIVIR-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-ANTIVIR-237 establish-tunnels immediately
set security ipsec vpn SB-MG-P2PE-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-P2PE-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-P2PE-234 establish-tunnels immediately
set security ipsec vpn SB-MG-P2PE-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-P2PE-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-P2PE-237 establish-tunnels immediately
set security ipsec vpn SB-MG-APPL2-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-APPL2-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-APPL2-234 establish-tunnels immediately
set security ipsec vpn SB-MG-APPL2-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-APPL2-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-APPL2-237 establish-tunnels immediately
set security ipsec vpn SB-MG-WSUS-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-WSUS-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-WSUS-234 establish-tunnels immediately
set security ipsec vpn SB-MG-WSUS-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-WSUS-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-WSUS-237 establish-tunnels immediately
set security ipsec vpn SB-MG-TERMSERV-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-TERMSERV-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-TERMSERV-234 establish-tunnels immediately
set security ipsec vpn SB-MG-TERMSERV-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-TERMSERV-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-TERMSERV-237 establish-tunnels immediately
set security ipsec vpn SB-MG-DNS-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-DNS-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-DNS-234 establish-tunnels immediately
set security ipsec vpn SB-MG-DNS-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-DNS-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-DNS-237 establish-tunnels immediately

Here’s the command to filter that into a show command keyed on the VPN name –

cat << EOF | grep "ipsec-policy" | sed 's/set/show/' | sed 's/vpn/security-associations vpn-name/' | awk '{print $1,$2,$3,$4,$5,$6}' | sed 's/$/ detail/'

The logic of the above command is based on the fact that every IPSec VPN tunnel will ALWAYS have an ‘ipsec-policy’ defined, so grepping for it leaves exactly one line per VPN name.

The output becomes –

show security ipsec security-associations vpn-name SB-MG-ANTIVIR-234 detail
show security ipsec security-associations vpn-name SB-MG-ANTIVIR-237 detail
show security ipsec security-associations vpn-name SB-MG-P2PE-234 detail
show security ipsec security-associations vpn-name SB-MG-P2PE-237 detail
show security ipsec security-associations vpn-name SB-MG-APPL2-234 detail
show security ipsec security-associations vpn-name SB-MG-APPL2-237 detail
show security ipsec security-associations vpn-name SB-MG-WSUS-234 detail
show security ipsec security-associations vpn-name SB-MG-WSUS-237 detail
show security ipsec security-associations vpn-name SB-MG-TERMSERV-234 detail
show security ipsec security-associations vpn-name SB-MG-TERMSERV-237 detail
show security ipsec security-associations vpn-name SB-MG-DNS-234 detail
show security ipsec security-associations vpn-name SB-MG-DNS-237 detail

Neat. I can’t tell you how many times those commands have saved me hours of tedious typing in a terminal!
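
The VPN-name pipeline above, rewritten as a shell function for repeated use. This is an added example and not from the original post; it assumes the ‘show configuration security ipsec | display set’ format shown above (field 4 is ‘vpn’, field 5 the VPN name, and ‘ike gateway <name>’ / ‘ike ipsec-policy <name>’ lines follow). It goes a little beyond the post’s one-liner: the optional gateway argument, the summary function and the sample config lines are my own additions.

```shell
#!/bin/sh
# Added example (not the original post's code): VPN-name show commands from
# 'display set' output, with an optional IKE-gateway filter.

# Constructed sample: three VPNs, two bound to gateway SB-MG-VPN and one to
# a different gateway.
SAMPLE_SET='set security ipsec vpn SB-MG-ANTIVIR-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-ANTIVIR-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-ANTIVIR-234 establish-tunnels immediately
set security ipsec vpn SB-MG-ANTIVIR-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-ANTIVIR-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-ANTIVIR-237 establish-tunnels immediately
set security ipsec vpn OTHER-SITE-1 ike gateway OTHER-GW
set security ipsec vpn OTHER-SITE-1 ike ipsec-policy OTHER-POLICY'

# vpn_show_cmds [GATEWAY]: read 'display set' lines on stdin and print one
# "show ... vpn-name <name> detail" line per VPN that has an ipsec-policy
# (the same rule the post relies on). With GATEWAY given, only VPNs bound
# to that IKE gateway are printed. Matching on whole fields instead of
# sed 's/set/show/' and 's/vpn/.../' means a VPN name that happens to
# contain "set" or "vpn" cannot corrupt the output.
vpn_show_cmds() {
    awk -v gw="${1:-}" '
        $1 == "set" && $4 == "vpn" && $6 == "ike" {
            if ($7 == "gateway")      gateway[$5] = $8
            if ($7 == "ipsec-policy") policy[$5]  = $8
        }
        END {
            for (v in policy)
                if (gw == "" || gateway[v] == gw)
                    printf "show security ipsec security-associations vpn-name %s detail\n", v
        }' | sort
}

# vpn_gateway_summary: how many VPNs hang off each IKE gateway, handy for
# sizing a per-customer report before generating hundreds of show commands.
vpn_gateway_summary() {
    awk '
        $1 == "set" && $4 == "vpn" && $6 == "ike" && $7 == "gateway" && !seen[$5]++ { n[$8]++ }
        END { for (g in n) printf "%s %d\n", g, n[g] }' | sort
}

# Interactive use: paste the config output after the command, then type EOF.
#   vpn_show_cmds SB-MG-VPN << EOF
#   ...pasted output...
#   EOF
printf '%s\n' "$SAMPLE_SET" | vpn_show_cmds SB-MG-VPN
printf '%s\n' "$SAMPLE_SET" | vpn_gateway_summary
```

The output is sorted so that it is stable regardless of the order awk walks its arrays in; the post’s grep/sed chain preserves configuration order instead, which may be preferable when you want the report to follow the config.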

Clearing IPSec Tunnels

Finally, here’s a last one which refreshes IPSec Phase 2 tunnels. Be careful with this, as clearing a Phase 2 SA drops that tunnel’s traffic until it renegotiates, so it’s possible to do damage and interrupt tunnel traffic. Use the ‘show security ipsec security-associations | match <peer_ip>’ output as the input, so that you only generate clear commands for the remote peer concerned.

cat << EOF | sed '/>/d' | awk '{print $1}' | sed 's/</clear security ipsec security-associations index /'
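
The index-based pipeline from ‘Show IPsec Tunnels Based on Index Value’ and the clear variant just above, combined into one shell function. This is an added example and not from the original post; it assumes the ‘show security ipsec security-associations’ format shown earlier (field 1 is ‘<index’ for the inbound SA or ‘>index’ for the outbound SA, and the last field is the remote peer address). The mandatory peer argument, the pairing check and the sample lines are my own additions.

```shell
#!/bin/sh
# Added example (not the original post's code): "show ... index N detail"
# and "clear ... index N" generation from a pasted SA listing, filtered by
# remote peer, plus a check that each index has both directions.

# Constructed sample: three tunnels to 1.2.3.4, one of which (index 969)
# shows only its inbound SA, and one tunnel to a different peer.
SAMPLE_SAS='  <955 ESP:aes-cbc-256/sha1 7adbd7ba 1723/ unlim - root 500 1.2.3.4
  >955 ESP:aes-cbc-256/sha1 c1a8e6d0 1723/ unlim - root 500 1.2.3.4
  <963 ESP:aes-cbc-256/sha1 c261b766 6461/ unlim - root 500 1.2.3.4
  >963 ESP:aes-cbc-256/sha1 9808343e 6461/ unlim - root 500 1.2.3.4
  <969 ESP:aes-cbc-256/sha1 b61ef91a 7901/ unlim - root 500 1.2.3.4
  <472 ESP:aes-cbc-256/sha1 1ee64eea 7696/ unlim - root 500 5.6.7.8
  >472 ESP:aes-cbc-256/sha1 116bae2f 7696/ unlim - root 500 5.6.7.8'

# sa_cmds VERB PEER: read an SA listing on stdin and print one
# "VERB security ipsec security-associations index N" line per inbound SA
# whose remote peer is PEER ("show" also appends " detail"). PEER is
# mandatory so that a clear run can never touch every tunnel on the box.
# Selecting on field 1 in awk, rather than sed '/>/d', means a '>' anywhere
# else on a line cannot silently drop a tunnel from the list.
sa_cmds() {
    verb=$1
    peer=$2
    case "$verb" in
        show)  suffix=" detail" ;;
        clear) suffix="" ;;
        *) echo "usage: sa_cmds show|clear <peer_ip>" >&2; return 2 ;;
    esac
    [ -n "$peer" ] || { echo "sa_cmds: peer address is required" >&2; return 2; }
    awk -v peer="$peer" -v verb="$verb" -v suffix="$suffix" '
        $1 ~ /^<[0-9]+$/ && $NF == peer && !seen[$1]++ {
            printf "%s security ipsec security-associations index %s%s\n", verb, substr($1, 2), suffix
        }'
}

# sa_pair_check: list indexes that appear with only one direction, which
# usually means the SA was mid-rekey or the paste was truncated; worth a
# look before clearing anything.
sa_pair_check() {
    awk '
        $1 ~ /^[<>][0-9]+$/ { idx = substr($1, 2); dirs[idx] = dirs[idx] substr($1, 1, 1) }
        END {
            for (idx in dirs)
                if (dirs[idx] !~ /</ || dirs[idx] !~ />/)
                    printf "index %s: only %s direction seen\n", idx, (dirs[idx] ~ /</ ? "inbound" : "outbound")
        }' | sort
}

# Interactive use: paste the SRX output after the command, then type EOF.
#   sa_cmds clear 1.2.3.4 << EOF
#   ...pasted output...
#   EOF
printf '%s\n' "$SAMPLE_SAS" | sa_cmds show 1.2.3.4
printf '%s\n' "$SAMPLE_SAS" | sa_pair_check
```

Run ‘sa_cmds show <peer>’ first and eyeball the list; only then feed the same paste to ‘sa_cmds clear <peer>’, so the set of indexes you are about to clear is exactly the set you have just reviewed.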

Enjoy a nice cuppa with the time saved :)